
Configuring Flexible NetFlow

A flow is defined as a unique set of key field attributes, which might include packet fields, packet routing attributes, and input and output interface information. A NetFlow feature defines a flow as a sequence of packets that have the same values for the feature's key fields. Flexible NetFlow (FNF) allows you to collect and optionally export a flow record that specifies various flow attributes. NetFlow collection supports IPv4, IPv6 and Layer 2 traffic.

1. The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible NetFlow on egress traffic.

2. Supervisor Engine 7-E and Supervisor Engine 7L-E support a 100,000-entry hardware flow table, which is shared across all the ports and VLANs on the switch. To limit the number of table entries a given interface or VLAN can consume, enter the cache entries <number> command in the flow monitor configuration.

The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries. With this configuration, interface gig 3/1 can create a maximum of 1000 flows and interface gig 3/2 can create a maximum of 1000 flows:

flow exporter e1

! exporter specifies where the flow records are sent to

destination 20.1.20.4

!

flow record r1

! record specifies packet fields to collect

match ipv4 source address

match ipv4 destination address

collect counter bytes long

collect counter packets long

collect timestamp sys-uptime first

collect timestamp sys-uptime last

!

flow monitor m1

! monitor refers to a record configuration and optionally an exporter

! configuration. It also specifies the cache size, i.e. how many unique flow

! records to collect

record r1

exporter e1

cache timeout active 60

cache timeout inactive 30

cache entries 1000

!

interface GigabitEthernet 3/1

! layer2-switched allows collection of flow records even when the packet is

! bridged

ip flow monitor m1 layer2-switched input

!

interface GigabitEthernet 3/2

ip flow monitor m1 input

!

3. Flow collection is supported on multiple targets: port, VLAN, per-port per-VLAN (FNF can be enabled on a specific VLAN on a given port), and port-channel (FNF is configured on the port-channel interface rather than on the individual member ports).

4. 64 unique flow record configurations are supported.

5. Flow QoS/UBRL and FNF cannot be configured on the same target. (For information on Flow-based QoS, see the section Flow-based QoS.)

6. 14,000 unique IPv6 addresses can be monitored.

7. On a given target, one monitor per traffic type is allowed. However, you can configure multiple monitors on the same target for different traffic types.

For example, the following configuration is allowed:

vlan configuration 10

ip flow monitor <name> input

ipv6 flow monitor <name> input

!

The following configuration is not allowed:

!

interface GigabitEthernet 3/1

ip flow monitor m1 input

ip flow monitor m2 input

8. On a given target, monitoring Layer 2 and Layer 3 traffic simultaneously is not supported. The following configuration is not allowed:

interface port-channel 1

datalink flow monitor m1 input

ip flow monitor m2 input

!

9. Selecting Layer 2 and Layer 3 packet fields in a single flow record definition is not allowed. However, the ingress 802.1Q VLAN ID of the packet may be combined with Layer 3 packet fields.

10. To attach a monitor to a port or port-VLAN target, a flow record that matches on the ingress 802.1Q VLAN ID as a key field must also match on the input interface as a key field.

Note The match datalink dot1q vlan input option is unavailable prior to Cisco IOS XE Release 3.3.0; the input keyword appears only starting with Cisco IOS XE Release 3.3.0.

Forwarding status for the packet (forwarded, terminated in the router, dropped by ACL, RPF, CAR): supported as a non-key field.

Layer 4 Header Fields

Field                                      | Description                                                                                    | Comments
TCP Header Fields
destination-port                           | TCP destination port                                                                           |
flags [ack] [fin] [psh] [rst] [syn] [urg]  | TCP flags                                                                                      | Supported as non-key fields.
source-port                                | TCP source port                                                                                |
UDP Header Fields
destination-port                           | UDP destination port                                                                           |
source-port                                | UDP source port                                                                                |
ICMP Header Fields
code                                       | ICMP code                                                                                      |
type                                       | ICMP type                                                                                      |
IGMP Header Fields
type                                       | IGMP type                                                                                      |
Interface Fields
input                                      | Input interface index                                                                          |
output                                     | Output interface index                                                                         | Output interface is supported only as a non-key field.
Flexible NetFlow feature related fields
direction                                  | input                                                                                          | Only the ingress (input) direction is supported (see item 1).
Counter Fields
bytes                                      | 32-bit byte counter                                                                            |
bytes long                                 | 64-bit byte counter                                                                            |
packets                                    | 32-bit packet counter                                                                          |
packets long                               | 64-bit counter of the packets in the flow                                                      |
Timestamp
first seen                                 | Time-stamp of the first packet accounted in the flow (in milliseconds, starting from router boot-up) | 3 sec accuracy
last seen                                  | Time-stamp of the last packet accounted in the flow (in milliseconds, starting from router boot-up)  | 3 sec accuracy

Configuring Flow Monitor Cache Values

Setting the active cache timeout to a small value causes flows to be exported more frequently to the remote collector. Because the software also deletes a flow from the local cache after exporting it, the cache statistics reported by the switch may not reflect all the flows actually being monitored.
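As an added illustration (not part of this guide and not Cisco code), the following Python model of a flow monitor cache shows the behaviour described in this section and in the m1 example above: the key fields of record r1 (ipv4 source and destination address) identify a flow, the collect fields accumulate per flow, a long-lived flow is cut into several records by the active timeout, a quiet flow is exported by the inactive timeout, a new flow that does not fit within cache entries is refused, and a collector has to re-add the split records to recover per-flow totals. The packets, addresses, the cache size of 2 and the second-granularity timestamps are constructed for the example; the real switch timestamps in milliseconds and ages the cache periodically rather than on every packet.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed ingress packet. ts is seconds since boot (the switch
    itself uses milliseconds, see the timestamp fields above)."""
    ts: float
    src: str
    dst: str
    length: int
    tcp_flags: frozenset = frozenset()


@dataclass
class FlowEntry:
    """Collect (non-key) fields of record r1, plus TCP flags as a non-key field."""
    first: float
    last: float
    bytes: int = 0
    packets: int = 0
    flags: set = field(default_factory=set)


class FlowCache:
    """Model of one flow monitor cache. Key = (ipv4 source, ipv4 destination)."""

    def __init__(self, entries, active, inactive):
        self.entries = entries      # cache entries <number>
        self.active = active        # cache timeout active <seconds>
        self.inactive = inactive    # cache timeout inactive <seconds>
        self.cache = {}
        self.exported = []          # records handed to the exporter, in order
        self.refused = 0            # new flows that did not fit in the cache

    def _expire(self, now):
        # Simplification: a real switch ages the cache on a timer; this model
        # checks both timeouts on every packet.
        for key, e in list(self.cache.items()):
            if now - e.first >= self.active or now - e.last >= self.inactive:
                self.exported.append((key, self.cache.pop(key)))

    def observe(self, pkt):
        """Account one packet; returns False if a new flow was refused."""
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.entries:
                self.refused += 1
                return False
            entry = FlowEntry(first=pkt.ts, last=pkt.ts)
            self.cache[key] = entry
        entry.bytes += pkt.length
        entry.packets += 1
        entry.last = pkt.ts
        entry.flags |= pkt.tcp_flags
        return True

    def flush(self):
        """Export everything still cached."""
        for key in list(self.cache):
            self.exported.append((key, self.cache.pop(key)))


# Constructed traffic: A->B sends 100 bytes every 10 s for 70 s, C->D sends
# two packets and goes quiet, E->F arrives while the 2-entry cache is full.
SAMPLE_PACKETS = [
    Packet(0, "A", "B", 100, frozenset({"syn"})),
    Packet(0, "C", "D", 200),
    Packet(5, "C", "D", 300),
    Packet(10, "A", "B", 100),
    Packet(20, "A", "B", 100),
    Packet(20, "E", "F", 50),
    Packet(30, "A", "B", 100),
    Packet(40, "A", "B", 100),
    Packet(50, "A", "B", 100),
    Packet(60, "A", "B", 100),
    Packet(70, "A", "B", 100, frozenset({"fin"})),
]


def simulate(packets=SAMPLE_PACKETS, entries=2, active=60, inactive=30):
    """Run the packets through a cache and return (exported records, refused count)."""
    cache = FlowCache(entries, active, inactive)
    for p in sorted(packets, key=lambda p: p.ts):   # stable sort keeps list order
        cache.observe(p)
    cache.flush()
    return cache.exported, cache.refused


def aggregate(exported):
    """Collector side: re-add records that the active timeout split apart."""
    totals = {}
    for key, e in exported:
        b, p = totals.get(key, (0, 0))
        totals[key] = (b + e.bytes, p + e.packets)
    return totals


if __name__ == "__main__":
    exported, refused = simulate()
    for key, e in exported:
        print(f"{key[0]}->{key[1]} first={e.first:g} last={e.last:g} "
              f"bytes={e.bytes} packets={e.packets} flags={sorted(e.flags)}")
    print("refused new flows:", refused)
    print("collector totals:", aggregate(exported))
```

Three records are exported: C->D (inactive timeout at t=40), A->B covering t=0..50 (active timeout at t=60, carrying the syn flag), and A->B covering t=60..70 (carrying the fin flag); E->F is refused because the cache is full. Immediately after the t=60 export the cache holds an A->B entry with a single packet although seven have been seen, which is the discrepancy between cache statistics and monitored traffic that the paragraph above warns about, and it is why the collector totals, not the cache, are the place to count.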